09-25-2006 10:34 AM - edited 03-09-2019 04:18 PM
I have a site-to-site tunnel configured between my PIX515e and a Nortel Contivity 1010 (I don't manage this device).
The tunnel has been up and running for about 9 months now. It seems that after a few weeks the tunnel will stop working (i.e., users on one side can't reach a host on the other side). If I issue the SHOW ISAKMP SA command at the PIX, it will show STATE=QM_IDLE, PENDING=0, CREATED=141 (or some other large number of created SAs). Every other site-to-site tunnel that I have will show no more than 2 or 3 SAs created. For what it is worth, there is usually very little traffic going over this tunnel (1 or 2 users on each side).
If I enter the command CLEAR CRYPTO ISAKMP SA, the SAs are dropped, the SA count resets to zero, and the tunnel starts working again.
Any ideas what the high SA count means and if/why this would prevent my tunnel from working?
Thanks in advance for any help offered.
09-29-2006 12:00 PM
Check whether there is any mismatch in SA lifetimes between the two sites.
SA Lifetimes:
The Phase 1 (IKE) lifetime on a PIX firewall is 86400 (24hours). The Phase 2 (IPSec) lifetime on the PIX is 3600 seconds (1 hour).
When a tunnel is initialized an SA (Security Association) is created for each Phase (1 & 2) and the timers start counting down. At the end of an hour the PIX will delete its Phase 2 SA unless the tunnel is active. If the tunnel is active when the 1 hour timer expires, then a new SA will be negotiated between the PIX and the other IPSec peer.
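The two checks discussed in this thread (the runaway CREATED count the original poster sees in SHOW ISAKMP SA, and the lifetime comparison the reply above suggests) can be scripted against saved command output. The following is an added example, not code from the thread or from Cisco: the sample output is constructed to approximate the column layout of `show isakmp sa` on a PIX 6.x (dst, src, state, pending, created) and is not a capture from the poster's device; the `max_created` threshold of 10 and the remote-peer lifetimes are assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample approximating `show isakmp sa` on a PIX 6.x (not a real capture):
# one peer with a runaway "created" count and two peers that rekey normally.
SAMPLE_SHOW_ISAKMP_SA = """\
Total     : 3
Embryonic : 0
        dst               src        state     pending     created
   203.0.113.10     198.51.100.1    QM_IDLE         0         141
   203.0.113.20     198.51.100.1    QM_IDLE         0           2
   203.0.113.30     198.51.100.1    QM_IDLE         0           3
"""

# One SA row: two IPv4 addresses, the ISAKMP state, then the pending and created counters.
SA_LINE = re.compile(
    r"^\s*(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<state>\S+)\s+(?P<pending>\d+)\s+(?P<created>\d+)\s*$"
)


def parse_isakmp_sa(output: str) -> List[Dict[str, object]]:
    """Return one dict per SA row; the Total/Embryonic summary and the header are skipped."""
    rows = []
    for line in output.splitlines():
        m = SA_LINE.match(line)
        if m:
            rows.append({
                "dst": m["dst"],
                "src": m["src"],
                "state": m["state"],
                "pending": int(m["pending"]),
                "created": int(m["created"]),
            })
    return rows


def suspicious_peers(output: str, max_created: int = 10) -> List[Tuple[str, int]]:
    """Peers whose cumulative created count exceeds what routine rekeying should produce.

    max_created is an assumed threshold; healthy tunnels in the thread show 2 or 3.
    """
    return [(r["dst"], r["created"])
            for r in parse_isakmp_sa(output) if r["created"] > max_created]


def lifetime_mismatches(local: Dict[str, int], remote: Dict[str, int]) -> List[str]:
    """Compare Phase 1 ('ike') and Phase 2 ('ipsec') lifetimes in seconds on both peers.

    Returns the phases whose lifetimes differ; an empty list means both sides agree.
    """
    return [phase for phase in ("ike", "ipsec") if local.get(phase) != remote.get(phase)]


if __name__ == "__main__":
    for peer, n in suspicious_peers(SAMPLE_SHOW_ISAKMP_SA):
        print(f"peer {peer}: {n} ISAKMP SAs created, compare lifetimes on both sides")
    # Local values are the PIX lifetimes the reply above names; the remote values are a
    # constructed mismatch for illustration, not the poster's Nortel configuration.
    pix = {"ike": 86400, "ipsec": 3600}
    remote_assumed = {"ike": 86400, "ipsec": 28800}
    print("mismatched phases:", lifetime_mismatches(pix, remote_assumed))
```

Run it against the text of your own `show isakmp sa` output (and, for `lifetime_mismatches`, the lifetimes read from both peers' configurations); a peer that keeps accumulating created SAs while every other peer stays at a handful is the one whose lifetimes are worth comparing first.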
12-14-2006 02:35 PM
When the new SA is being negotiated, does the connection of a user on the VPN client get dropped, so that he has to reconnect again manually?